A serious data-stealing vulnerability in IE8 has come to light, but it's not new: it's been quietly stealing data (possibly yours) since at least December 2009 (and perhaps much longer than that, too). Now, get ready to put on your "shocked face", because it turns out that Microsoft has known about it for at least that long and done…nothing.
Back in December of 2009, security researcher Chris Evans reported this bug in a blog post. Microsoft leapt into action and did nothing, not one thing. No patch. No advisory. No corrective measures. This is a great example of how some companies respond to a threat while others just hit the snooze button.
In December all of the major browsers (IE, Firefox, Chrome, Safari and Opera) were susceptible to this particular attack. Within a short period of time, however, Firefox, Chrome, Safari and Opera all fixed the vulnerability and released patches. But not Microsoft. Yes, as of today, this attack works just fine on the latest, fully patched release of IE8, the "safest browser we've ever released", according to the Microsoft Spin Marketing Team.
The vulnerability works like this: if a victim visits a given Web site and authenticates himself to the site, and then visits a site containing the attack code, the attacker can then hijack the user's session and extract data, including possibly sensitive or confidential data. A working example here shows how the bug could permit the attacker to force IE to post tweets onto Twitter. And if it can do that, well, the sky is probably the limit.
Even worse, a note on the SecLists site at the URL above suggests that "There's evidence to suggest that Microsoft has been aware of this since at least 2008." Wonderful.
So our hat is off to Microsoft, for being so far behind the security curve that they can't even see the curve. And for not caring about vulnerabilities brought to their attention, as well as for authoring the most insecure browser in recorded history. But when you're the largest, richest software company on the planet it's easy to see how little things like a two-year vulnerability could slip by you, even after all the other guys have fixed it.